[Buildroot] [PATCH] package/libnss: security bump to version 3.73

[Buildroot] [PATCH] package/libnss: security bump to version 3.73

[Peter Korsgaard]

Fixes the following security issue:

- CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS
  DER-encoded signatures

For more details, see the advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/libnss/libnss.hash | 4 ++--
 package/libnss/libnss.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libnss/libnss.hash b/package/libnss/libnss.hash
index 3dc6cb185a..803b234c83 100644
--- a/package/libnss/libnss.hash
+++ b/package/libnss/libnss.hash
@@ -1,4 +1,4 @@
-# From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_72_RTM/src/SHA256SUMS
-sha256  6ea60a9ff113e493ea2ab25f41ea75a9fbd10af7903f26f703dac8680732d02e  nss-3.72.tar.gz
+# From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_73_RTM/src/SHA256SUMS
+sha256  566d3a68da9b10d7da9ef84eb4fe182f8f04e20d85c55d1bf360bb2c0096d8e5  nss-3.73.tar.gz
 # Locally calculated
 sha256  a20c1a32d1f8102432360b42e932869f7c11c7cdbacf9cac554c422132af47f4  nss/COPYING
diff --git a/package/libnss/libnss.mk b/package/libnss/libnss.mk
index 2d880d2336..6504f30d31 100644
--- a/package/libnss/libnss.mk
+++ b/package/libnss/libnss.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBNSS_VERSION = 3.72
+LIBNSS_VERSION = 3.73
 LIBNSS_SOURCE = nss-$(LIBNSS_VERSION).tar.gz
 LIBNSS_SITE = https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_$(subst .,_,$(LIBNSS_VERSION))_RTM/src
 LIBNSS_DISTDIR = dist
-- 
2.20.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/libnss: security bump to version 3.73

[Giulio Benetti]

Hi Peter,

> Il giorno 2 dic 2021, alle ore 22:34, Peter Korsgaard <peter@korsgaard.com> ha scritto:
> 
> Fixes the following security issue:
> 
> - CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS
>  DER-encoded signatures
> 
> For more details, see the advisory:
> https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

You’ve beaten me on time :-)

Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>

Best regards
Giulio Benetti

> ---
> package/libnss/libnss.hash | 4 ++--
> package/libnss/libnss.mk   | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/libnss/libnss.hash b/package/libnss/libnss.hash
> index 3dc6cb185a..803b234c83 100644
> --- a/package/libnss/libnss.hash
> +++ b/package/libnss/libnss.hash
> @@ -1,4 +1,4 @@
> -# From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_72_RTM/src/SHA256SUMS
> -sha256  6ea60a9ff113e493ea2ab25f41ea75a9fbd10af7903f26f703dac8680732d02e  nss-3.72.tar.gz
> +# From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_73_RTM/src/SHA256SUMS
> +sha256  566d3a68da9b10d7da9ef84eb4fe182f8f04e20d85c55d1bf360bb2c0096d8e5  nss-3.73.tar.gz
> # Locally calculated
> sha256  a20c1a32d1f8102432360b42e932869f7c11c7cdbacf9cac554c422132af47f4  nss/COPYING
> diff --git a/package/libnss/libnss.mk b/package/libnss/libnss.mk
> index 2d880d2336..6504f30d31 100644
> --- a/package/libnss/libnss.mk
> +++ b/package/libnss/libnss.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
> 
> -LIBNSS_VERSION = 3.72
> +LIBNSS_VERSION = 3.73
> LIBNSS_SOURCE = nss-$(LIBNSS_VERSION).tar.gz
> LIBNSS_SITE = https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_$(subst .,_,$(LIBNSS_VERSION))_RTM/src
> LIBNSS_DISTDIR = dist
> -- 
> 2.20.1
> 

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/libnss: security bump to version 3.73

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 > - CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS
 >   DER-encoded signatures

 > For more details, see the advisory:
 > https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/libnss: security bump to version 3.73

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 >> Fixes the following security issue:
 >> - CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS
 >> DER-encoded signatures

 >> For more details, see the advisory:
 >> https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/

 >> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

For 2021.02.x / 2021.08.x I have instead bumped to 3.68.1, which fixes
the same vulnerability.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot